VYPR
Unrated severity · NVD Advisory · Published Jan 8, 2023 · Updated Aug 3, 2024

CapsAdmin PAC3 http.lua cross site scripting

CVE-2022-4881

Description

A vulnerability was found in CapsAdmin PAC3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lua/pac3/core/shared/http.lua. The manipulation of the argument url leads to cross site scripting. The attack may be launched remotely. The patch is identified as 8fc9e12dfa21d757be6eb4194c763e848b299ac0. It is recommended to apply a patch to fix this issue. VDB-217646 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CapsAdmin PAC3's http.lua had an XSS vulnerability where the url argument was not sanitized, allowing remote attackers to inject arbitrary HTML/JavaScript.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in CapsAdmin PAC3, specifically in the file lua/pac3/core/shared/http.lua. The function pac.FixUrl did not properly sanitize user-supplied input passed via the url argument. This allowed an attacker to inject malicious HTML or JavaScript code, leading to XSS. The issue was addressed in commit 8fc9e12 [2] and pull request #1210 [1]. The vulnerability affects all versions prior to the patch.

Exploitation

An attacker can remotely trigger the vulnerability by sending a crafted URL containing malicious characters such as ", ', <, >, or newline characters to the vulnerable endpoint. No authentication or special privileges are required, as the attack can be launched over the network. The exploitation involves manipulating the url argument in a request that reaches the http.lua file.

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's session. This could lead to session hijacking, defacement, or theft of sensitive information. The impact is limited to the PAC3 environment and the user's browser context.

Mitigation

The fix was implemented in commit 8fc9e12dfa21d757be6eb4194c763e848b299ac0 [2]. Users should update to the latest version of PAC3 that includes this patch. No workarounds have been publicly disclosed, and the patch is considered the recommended mitigation. The vulnerability is identified as VDB-217646.
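As an added illustration, not PAC3's own code and not the fix in the cited commit, the following Lua shows the kind of input check the advisory implies for the url argument: reject the characters it names (", ', <, >, newlines) and any other control character, accept only absolute http(s) URLs, and HTML-escape a URL before it is ever placed in markup. validate_url, html_escape and the sample inputs are hypothetical and constructed here.

```lua
-- Added illustration, not PAC3's own code: a hardened URL check of the kind
-- the advisory describes (hypothetical names, not pac.FixUrl itself).

-- Characters the advisory names as the injection vector, plus all ASCII
-- control characters (CR/LF included): reject rather than try to strip.
local FORBIDDEN = '["\'<>%c]'

-- Returns the validated url, or nil plus a reason. Only absolute
-- http/https URLs are accepted, so "javascript:" and similar are refused.
local function validate_url(url)
    if type(url) ~= "string" then
        return nil, "url must be a string"
    end
    if #url == 0 or #url > 2048 then
        return nil, "url length out of range"
    end
    if url:find(FORBIDDEN) then
        return nil, "url contains a forbidden character"
    end
    -- Lowercase only for the scheme comparison; the url itself is unchanged.
    if not url:lower():match("^https?://[%w%-%.]+") then
        return nil, "url must be an absolute http(s) URL"
    end
    return url
end

-- When a url has to be shown inside HTML (e.g. an error panel), escape it
-- regardless of whether it passed validation: defence in depth.
local HTML_ESCAPES = {
    ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;",
    ['"'] = "&quot;", ["'"] = "&#39;",
}
local function html_escape(s)
    return (s:gsub("[&<>\"']", HTML_ESCAPES))
end

-- Constructed sample inputs for a quick self-check (not real requests).
local samples = {
    "https://example.com/model.obj",
    'https://example.com/x"><b>injected</b>',
    "https://example.com/x\nX-Injected: 1",
    "javascript:void(0)",
}
for _, u in ipairs(samples) do
    local ok, why = validate_url(u)
    print(ok and ("accepted: " .. ok) or ("rejected (" .. why .. "): " .. html_escape(u)))
end
```

Only the first sample is accepted; the other three are refused before the value can reach any HTML or header context.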

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
